General

Target: Attached is list of our purchase order.exe
Filesize: 1018KB
Completed: 21-05-2022 18:49
Task: behavioral1
Score: 10/10
MD5: 51c0b8ed8fefbc54a2dee932441e60f5
SHA1: f1725101ee1c02864a3e829d08d9062d9f05a694
SHA256: ab654da16e2c42b2547b884c79f0829214b34e0d1db7ab0ad23271a66f3298c3
SHA512: 1d596345a1e54f24de8e2b2d086eed00ec822caab7b985abae37df15d300419ef0e0dc81d7154b73c89a2fa74b9fecc4d42f7fb09f56cb0e33e415056baf8804

Malware Config

Extracted

Family: formbook
Version: 4.1
Campaign: 3nop

Decoy


Signatures 12

Defense Evasion
Persistence
  • Formbook

    Description

    Formbook is an information-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    Description

    suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload

    Reported IOCs

    resource | yara_rule
    behavioral1/memory/1596-56-0x0000000010410000-0x000000001043D000-memory.dmp | formbook
    behavioral1/memory/1740-59-0x0000000000000000-mapping.dmp | formbook
    behavioral1/memory/1740-61-0x0000000010410000-0x000000001043D000-memory.dmp | formbook
    behavioral1/memory/1236-71-0x00000000000D0000-0x00000000000FD000-memory.dmp | formbook
  • Adds policy Run key to start application
    msiexec.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JT7PVFKPWFM = "C:\\Program Files (x86)\\internet explorer\\ieinstal.exe" | msiexec.exe
    Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | msiexec.exe
  • Adds Run key to start application
    msiexec.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | msiexec.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of SetThreadContext
    ieinstal.exe, msiexec.exe

    Reported IOCs

    description | pid | process | target process
    PID 1740 set thread context of 1260 | 1740 | ieinstal.exe | Explorer.EXE
    PID 1740 set thread context of 1260 | 1740 | ieinstal.exe | Explorer.EXE
    PID 1236 set thread context of 1260 | 1236 | msiexec.exe | Explorer.EXE
  • Modifies Internet Explorer settings
    msiexec.exe

    TTPs

    Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \Registry\User\S-1-5-21-1083475884-596052423-1669053738-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | msiexec.exe
  • Suspicious behavior: EnumeratesProcesses
    ieinstal.exe, msiexec.exe

    Reported IOCs

    pid | process
    1740 | ieinstal.exe
    1740 | ieinstal.exe
    1740 | ieinstal.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
  • Suspicious behavior: MapViewOfSection
    ieinstal.exe, msiexec.exe

    Reported IOCs

    pid | process
    1740 | ieinstal.exe
    1740 | ieinstal.exe
    1740 | ieinstal.exe
    1740 | ieinstal.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
    1236 | msiexec.exe
  • Suspicious use of AdjustPrivilegeToken
    ieinstal.exe, msiexec.exe

    Reported IOCs

    description | pid | process
    Token: SeDebugPrivilege | 1740 | ieinstal.exe
    Token: SeDebugPrivilege | 1236 | msiexec.exe
  • Suspicious use of WriteProcessMemory
    Attached is list of our purchase order.exe, Explorer.EXE, msiexec.exe

    Reported IOCs

    description | pid | process | target process
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1596 wrote to memory of 1740 | 1596 | Attached is list of our purchase order.exe | ieinstal.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1260 wrote to memory of 1236 | 1260 | Explorer.EXE | msiexec.exe
    PID 1236 wrote to memory of 1636 | 1236 | msiexec.exe | Firefox.exe
    PID 1236 wrote to memory of 1636 | 1236 | msiexec.exe | Firefox.exe
    PID 1236 wrote to memory of 1636 | 1236 | msiexec.exe | Firefox.exe
    PID 1236 wrote to memory of 1636 | 1236 | msiexec.exe | Firefox.exe
    PID 1236 wrote to memory of 1636 | 1236 | msiexec.exe | Firefox.exe
Processes 24
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe
      "C:\Users\Admin\AppData\Local\Temp\Attached is list of our purchase order.exe"
      Suspicious use of WriteProcessMemory
      PID:1596
      • C:\Program Files (x86)\internet explorer\ieinstal.exe
        "C:\Program Files (x86)\internet explorer\ieinstal.exe"
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        PID:1740
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:432
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:392
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1396
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:816
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:1508
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:736
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:808
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      PID:476
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1016
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1696
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:748
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:536
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:972
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1776
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1780
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:612
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1924
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1748
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      PID:1476
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      Adds policy Run key to start application
      Adds Run key to start application
      Suspicious use of SetThreadContext
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        PID:1636
Network
MITRE ATT&CK Matrix

Tactic columns: Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Privilege Escalation
Downloads
  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logim.jpeg
    MD5: 6c2bb8356a7beaee984971e15c64cfc2
    SHA1: 065cdddf14f0641d0023caac9f34e5c099ad904a
    SHA256: 0aca76e1b8a9e0210a6e1c842e8a3ca63840530a6fecdd22bab7390f7bd99a96
    SHA512: 1f6f8aaaae64ff59ae7066f4f42a907cd8f2b99652cded9d33c9c333760db87144aeb1d30be12949659c217efb2ddc7c1ec32d2e6dfbcdfac143b1bea5e3cf98

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logrf.ini
    MD5: 2f245469795b865bdd1b956c23d7893d
    SHA1: 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
    SHA256: 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
    SHA512: 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logri.ini
    MD5: d63a82e5d81e02e399090af26db0b9cb
    SHA1: 91d0014c8f54743bba141fd60c9d963f869d76c9
    SHA256: eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
    SHA512: 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

  • C:\Users\Admin\AppData\Roaming\-65A6372\-65logrv.ini
    MD5: ba3b6bc807d4f76794c4b81b09bb9ba5
    SHA1: 24cb89501f0212ff3095ecc0aba97dd563718fb1
    SHA256: 6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507
    SHA512: ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf
